SPECIALIST COURSES IN CYBER SECURITY AND CYBER INTELLIGENCE

INTRODUCTION

Quanta Formazione, in collaboration with Field Training Solutions Ltd, organizes specialist Cyber Security and Cyber Intelligence courses at the Quanta Village. The courses, adopted by government departments including Interpol, NASA, the US Marines Information Assurance Division, the US Air Force and the United States Army, have received the highest level of accreditation in information security, officially recognized by the United States National Security Agency (NSA) and by the Committee on National Security Systems (CNSS). Thanks to the real-world operational experience of the FSS Group and to its pool of technical security experts, all drawn exclusively from the technical departments of British Intelligence, Field Training Solutions Ltd was chosen by the CEO of Mile2® as the only security-services-accredited training institute for the distribution of copyrighted material in Western Europe and South America. In Italy, Quanta Formazione is the only FSS partner training institute.

OUR COURSES

The CISSO (Certified Information Systems Security Officer) and CPTE (Certified Penetration Testing Engineer) courses promoted by Quanta/FTS represent a highly innovative type of training in the Italian context.

CISSO COURSE - Certified Information Systems Security Officer

The CISSO course is designed to train information security professionals and consultants who can hold key roles in a company's Information Security department. The course covers a wide range of industry best practices and provides the knowledge and skills needed to identify technical and organizational solutions that secure the company's information assets, and to implement and maintain cost-effective IT security controls closely aligned with business needs.

CPTE COURSE - Certified Penetration Testing Engineer

The CPTE course provides the knowledge and skills needed to identify vulnerabilities in information systems and to carry out penetration tests. It teaches the most advanced methodologies and techniques for preventing and countering criminal attacks on information systems, and it develops the skills needed to assess whether measures to optimize the security controls protecting the company's information assets are warranted, in order to reduce the threat of breaches and the risks to companies.

COURSE SPECIFICATIONS

Teaching staff

The teaching staff will be made up of operational specialists from the information security sector, drawn from the special units and technical departments of British Intelligence.

Accreditation

At the end of the courses, upon passing the final exam, students receive the official Mile2 and FTS Ltd (Mile2 Authorized Training Partner) certification, recognized by the NSA (National Security Agency), US DOD (United States Department of Defense), Canadian DND (Canadian Department of National Defence) and CNSS (Committee on National Security Systems). The certification issued by Mile2 and FTS Ltd is equivalent to the CISSP certification from ISC2.

Teaching methodology

Lessons are intensive and practical, and are accompanied by learning labs in which students can verify the theory presented and actively experiment with the techniques learned. Training is delivered using the "see one, do one, teach one" method, under the constant guidance of Cyber Security experts. This approach is supported by PowerPoint presentations, real-world case studies, role play and scheduled, authorized live simulations on the internet. Students also have independent work objectives to complete individually or in teams at the end of the lessons. The final exam consists of 150 multiple-choice questions. To obtain the official certification and accreditation, a minimum score of 75% is required. After the exam, for one year from the end of the course, students have access to a virtual computer lab to practise and consolidate the concepts and methodologies learned during the course.

Course materials

Each student receives a student kit containing 2 manuals, a CD with the course software, a T-shirt and a pen.

CISSO - DETAILED TECHNICAL PROGRAMME

COURSE DETAILS

Module 1: Risk Management
Module 2: Security Management
Module 3: Authentication
Module 4: Access Control
Module 5: Security Models and Evaluation Criteria
Module 6: Operations Security
Module 7: Symmetric Cryptography and Hashing
Module 8: Asymmetric Cryptography and PKI
Module 9: Network Connections
Module 10: Network Protocols and Devices
Module 11: Telephony, VPNs and Wireless
Module 12: Security Architecture and Attacks
Module 13: Software Development Security
Module 14: Database Security and System Development
Module 15: Business Continuity
Module 16: Disaster Recovery
Module 17: Incident Management, Law, and Ethics
Module 18: Physical Security

DETAILED MODULE DESCRIPTION

Module 1 - Risk Management

Qualitative Analysis Steps Human Resources Issues What Is the Value of an Asset? Management’s Response to Identified Risks Importance to Security? What Is a Threat Source/Agent? Comparing Cost and Benefit Recruitment Issues What Is a Threat? Cost of a Countermeasure Termination of Employment What Is a Vulnerability?
Examples of Some Vulnerabilities that Are Not Always Obvious Informing Employees Module 2 - Security Management About Security Enterprise Security Program Enforcement What Is a Control? Building A Foundation Security Enforcement Issues What Is Likelihood? Planning Horizon Components What Is Impact? Enterprise Security – The Business Requirements Control Effectiveness Enterprise Security Program Components Agenda Risk Management Control Types Access Control Methodology Purpose of Risk Management “Soft” Controls Access Control Administration Risk Assessment Technical or Logical Controls Accountability and Access Control Why Is Risk Assessment Difficult? Physical Controls Trusted Path Types of Risk Assessment Security Roadmap Who Are You? Different Approaches to Analysis Senior Management’s Role in Security Authentication Mechanisms Quantitative Analysis Negligence and Liability Strong Authentication ALE Values Uses Security Roles and Responsibilities Authorization Qualitative Analysis - Likelihood Security Program Components Access Criteria Qualitative Analysis - Impact Security and the Human Factors Fraud Controls Qualitative Analysis – Risk Level Employee Management Access Control Mechanisms Module 3 - Authentication

Module 4 - Access Control Agenda Single Sign-on Technology Biometrics Technology Different Technologies Role of Access Control Biometrics Enrollment Process Scripts as a Single Sign-on Technology Definitions Downfalls to Biometric Use Directory Services as a Single Sign-on Technology More Definitions Biometrics Error Types Thin Clients Layers of Access Control Biometrics Diagram Kerberos as a Single Sign-on Technology Layers of Access Controls Biometric System Types Tickets Access Control Mechanism Examples Agenda Kerberos Components Working Together Access Control Characteristics Passwords and PINs Major Components of Kerberos Preventive Control Types Password “Shoulds” Kerberos Authentication Steps Control Combinations Password Attacks Why Go Through All of this Trouble? Administrative Controls Countermeasures for Password Cracking Issues Pertaining to Kerberos Controlling Access Cognitive Passwords SESAME as a Single Sign-on Technology Other Ways of Controlling Access One-Time Password Authentication Federated Authentication Technical Access Controls Agenda Agenda Physical Access Controls Synchronous Token IDS Accountability Asynchronous Token Device Network IDS Sensors Information Classification Cryptographic Keys Types of IDSs Information Classification Criteria Passphrase Authentication Behavior-Based IDS Declassifying Information Memory Cards IDS Response Mechanisms Types of Classification Levels Smart Card IDS Issues Models for Access Agenda Trapping an Intruder Discretionary Access Control Model

Enforcing a DAC Policy Security Modes of Operation Common Criteria Mandatory Access Control Model System Protection – Levels of Trust Common Criteria Components MAC Enforcement Mechanism – Labels System Protection – Process Isolation First Set of Requirements Where Are They Used? System Protection – Layering Second Set of Requirements Role-Based Access Control (RBAC) System Protection – Application Program Interface Package Ratings Acquiring Rights and Permissions System Protection – Protection Rings Common Criteria Outline Rule-Based Access Control What Does It Mean to Be in a Specific Ring? Certification vs. Accreditation Access Control Matrix Security Models Access Control Administration State Machine Access Control Methods Information Flow Operations Issues Remote Centralized Administration Bell-LaPadula Role of Operations RADIUS Characteristics Rules of Bell-LaPadula Administrator Access RADIUS Biba Computer Operations – Systems Administrators TACACS+ Characteristics Clark-Wilson Model Security Administrator Diameter Characteristics Non-interference Model Operational Assurance Decentralized Access Brewer and Nash – Chinese Wall Audit and Compliance Control Administration Take-Grant Model Some Threats to Computer Operations Trusted Computer System Evaluation Criteria (TCSEC) Specific Operations Tasks Module 5 - Security Models and Evaluation Criteria TCSEC Rating Breakdown Product Implementation Concerns System Protection – Trusted Computing Base Evaluation Criteria – ITSEC Logs and Monitoring System Protection – Reference Monitor ITSEC Ratings Records Management Security Kernel Requirements ITSEC – Good and Bad Change Control Module 6 - Operations Security

Resource Protection Data Leakage – Social Engineering Contingency Planning Data Leakage – Object Reuse Caesar Cipher Example System Controls Object Reuse Historical Uses of Symmetric Cryptography: Vigenere Cipher Trusted Recovery Why Not Just Delete File or Format the Disk? Fault-Tolerance Mechanisms Data Leakage – Keystroke Logging Polyalphabetic Substitution Duplexing, Mirroring, Check Pointing Data Leakage – Emanation Vigenere Table Example Redundant Array of Independent Disks (RAID) Controlling Data Leakage – TEMPEST Example Continued Fault Tolerance Controlling Data Leakage – Control Zone Historical Uses of Symmetric Cryptography: Enigma Machine Redundancy Mechanism Controlling Data Leakage – White Noise Backups Summary Backup Types Historical Uses of Symmetric Cryptography: Vernam Cipher Remote Access Module 7 - Symmetric Cryptography and Hashing Facsimile Security Cryptography Objectives Email Security Cryptographic Definitions One-Time Pad Characteristics Before Carrying Out Vulnerability Testing A Few More Definitions Binary Mathematical Function Vulnerability Assessments Need Some More Definitions? Key and Algorithm Relationship Methodology Symmetric Cryptography – Use of Secret Keys Why Does a 128-Bit Key Provide More Protection than a 64-Bit Key? Penetration Testing Cryptography Uses Yesterday and Today Penetration Testing Historical Uses of Symmetric Cryptography Ways of Breaking Cryptosystems – Brute Force Hack and Attack Strategies Historical Uses of Symmetric Cryptography – Scytale Cipher Ways of Breaking Cryptosystems – Frequency Analysis Protection Mechanism – Honeypot Threats to Operations Historical Uses of Symmetric Cryptography: Substitution Cipher Historical Uses of Symmetric Cryptography: Running Key and Concealment Determining Strength in a Cryptosystem

Characteristics of Strong Algorithms Block Cipher Modes – CBC Asymmetric Open or Closed More Secure? Different Modes of Block Ciphers – ECB Asymmetric Algorithm – Diffie-Hellman Types of Ciphers Used Today Block Cipher Modes – CFB and OFB Asymmetric Algorithm – RSA Encryption/Decryption Methods CFB and OFB Modes Asymmetric Algorithms – El Gamal and ECC Type of Symmetric Cipher – Block Cipher Symmetric Cipher – AES Example of Hybrid Cryptography S-Boxes Used in Block Ciphers Other Symmetric Algorithms When to Use Which Key Type of Symmetric Cipher – Stream Cipher Hashing Algorithms Using the Algorithm Types Together Encryption Process Protecting the Integrity of Data Digital Signatures Symmetric Characteristics Data Integrity Mechanisms Digital Signature and MAC Comparison Sender and Receiver Must Generate the Same Keystream Weakness in Using Only Hash Algorithms What if You Need All of the Services? More Protection in Data Integrity U.S. Government Standard They both must have the same key and IV MAC – Sender Why Do We Need a PKI? Strength of a Stream Cipher MAC – Receiver PKI and Its Components Let’s Dive in Deeper Security Issues in Hashing CA and RA Roles Symmetric Key Cryptography Birthday Attack Let’s Walk Through an Example Symmetric Key Management Issue Example of a Birthday Attack Digital Certificates Symmetric Algorithm Examples Symmetric Downfalls What Do You Do with a Certificate? Module 8 - Asymmetric Cryptography and PKI Components of PKI – Repository and CRLs Secret Versus Session Keys Asymmetric Cryptography Steganography Symmetric Ciphers We Will Dive Into Public Key Cryptography Advantages Key Management Symmetric Algorithms – DES Asymmetric Algorithm Disadvantages Link versus End-to-End Encryption Evolution of DES Symmetric versus Asymmetric End-to-End Encryption

E-mail Standards Topology Type – Ring Network Technologies Encrypted message Topology Type – Star Network Technologies Secure Protocols Network Topologies – Mesh Network Configurations SSL and the OSI Model Summary of Topologies MAN Technologies – SONET SSL Hybrid Encryption LAN Media Access Technologies Wide Area Network Technologies SSL Connection Setup One Goal of Media Access Technologies WAN Technologies Are Circuit or Packet Switched Secure E-mail Standard Transmission Types – Analog and Digital WAN Technologies – ISDN SSH Security Protocol Transmission Types – Synchronous and Asynchronous ISDN Service Types Network Layer Protection WAN Technologies – DSL IPSec Key Management Transmission Types – Baseband and Broadband WAN Technologies – Cable Modem Key Issues Within IPSec Two Types of Carrier Sense Multiple Access WAN Technologies – Packet Switched IPSec Handshaking Process Transmission Types – Number of Receivers WAN Technologies – X.25 SAs in Use Media Access Technologies – Ethernet WAN Technologies – Frame Relay IPSec Is a Suite of Protocols Media Access Technologies – Token Passing WAN Technologies – ATM IPSec Modes of Operation Media Access Technologies – Polling Multiplexing IPsec Modes of Operation Cabling Attacks on Cryptosystems Signal and Cable Issues More Attacks Cabling Types – Coaxial OSI Model Cabling Types – Twisted Pair An Older Model Types of Cabling – Fiber Data Encapsulation Network Topologies – Physical Layer Cabling Issues – Plenum-Rated OSI – Application Layer Topology Type – Bus Types of Networks OSI – Presentation Layer Module 9 - Network Connections Module 10 - Network Protocols and Devices

OSI – Session Layer Firewall Types – Application-Layer Proxy Protocols – SMTP Transport Layer Firewall Types – Stateful Protocols – FTP, TFTP, Telnet OSI – Network Layer Firewall Types – Dynamic Packet-Filtering Protocols – RARP and BootP OSI – Data Link Firewall Types – Kernel Proxies Network Service – DNS OSI – Physical Layer Firewall Placement Network Service – NAT Protocols at Each Layer Firewall Architecture Types – Screened Host Devices Work at Different Layers Firewall Architecture Types – Multi- or Dual-Homed Networking Devices Firewall Architecture Types – Screened Subnet PSTN Repeater IDS – Second line of defense Remote Access Hub IPS – Last line of defense? Dial-Up Protocols and Authentication Bridge HIPS Protocols Switch Unified Threat Management Dial-Up Protocol – SLIP Virtual LAN UMT Product Criteria Dial-Up Protocol – PPP Router Protocols Authentication Protocols – PAP and CHAP Gateway TCP/IP Suite Authentication Protocol – EAP Bastion Host Port and Protocol Relationship Voice Over IP Firewalls Private Branch Exchange Firewall – First line of defense Conceptual Use of Ports PBX Vulnerabilities Firewall Types – Packet Filtering UDP versus TCP PBX Best Practices Firewall Types – Proxy Firewalls Protocols – ARP Virtual Private Network Technologies Firewall Types – Circuit-Level Proxy Firewall Protocols – ICMP Type of Circuit-Level Proxy – SOCKS Protocols – SNMP What Is a Tunnelling Protocol? Module 11 - Telephony, VPNs and Wireless

Tunnelling Protocols – PPTP TKIP Objectives of Security Architecture Tunnelling Protocols – L2TP The WPA MIC Vulnerability Technology Domain Modeling Tunnelling Protocols – IPSec 802.11i – WPA2 Integrated Security is Designed Security IPSec – Network Layer Protection WPA and WPA2 Mode Types Security by Design IPSec WPA-PSK Encryption Architectural Models IPSec Wireless Technologies – WAP Virtual Machines SSL/TLS Wireless Technologies – WTLS Cloud Computing Wireless Technologies – Access Point Wireless Technologies – Common Attacks Memory Types Standards Comparison Wireless Technologies – War Driving Virtual Memory Wireless Network Topologies Kismet Memory Management Wi-Fi Network Types Wireless Technologies – Countermeasures Accessing Memory Securely Wireless Technologies – Access Point Network Based Attacks Different States that Processes Work In Wireless Technologies – Service Set ID ARP Attack System Functionality Wireless Technologies – Authenticating to an AP DDoS Issues Types of Compromises Wireless Technologies – WEP Man-in-the-Middle Disclosing Data in an Unauthorized Manner WEP Traceroute Operation Circumventing Access Controls Wireless Technologies – More WEP Woes Attacks Module 12 - Security Architecture and Attacks Attack Type – Race Condition Weak IV Packets ESA Definition… Attack Type – Data Validation More WEP Weaknesses What is Architecture? Attacking Through Applications How WPA Improves on WEP Architecture Components How Buffers and Stacks Are Supposed to Work How WPA Improves on WEP Key Architecture Concepts – Plan How a Buffer Overflow Works

Attack Characteristics Modularity of Objects Database Models – Relational Components Attack Types Object-Oriented Programming Characteristic Foreign Key More Attacks Module Characteristics Database Component Host Name Resolution Attacks Linking Through COM Database Security Mechanisms More Attacks (2) Mobile Code with Active Content Database Data Integrity Controls Watching Network Traffic World Wide Web OLE Add-On Security Traffic Analysis ActiveX Security Database Security Issues Cell Phone Cloning Java and Applets Controlling Access Illegal Activities Common Gateway Interface Database Integrity How CGI Scripts Work Data Warehousing Cookies Data Mining How Did We Get Here? PCI Requirements Artificial Intelligence Device vs. Software Security Virtualization – Type 1 Expert System Components Why Are We Not Improving at a Higher Rate? Virtualization – Type 2 Artificial Neural Networks Module 13 - Software Development Security Usual Trend of Dealing with Security Where to Implement Security The Objective Software Development Models Module 14 - Database Security and System Development Project Development – Phases III, IV, and V Project Development – Phases VI and VII Security of Embedded Systems Database Model Verification versus Validation Development Methodologies Database Models – Hierarchical Evaluating the Resulting Product Maturity Models Database Models – Distributed Controlling How Changes Take Place Security Issues Database Models – Relational Change Control Process OWASP Top Ten (2011) Database Systems Administrative Controls

Module 15 - Business Continuity Malware Interdependencies Virus Phases of Plan Identifying Functions’ Resources More Malware Who Is Ready? How Long Can the Company Be Without These Resources? Rootkits and Backdoors Pieces of the BCP DDoS Attack Types BCP Development Calculating MTD Escalation of Privilege Where Do We Start? Recovery Point Objective Protect against privilege escalation Why Is BCP a Hard Sell to Management? Calculation of maximum data loss DDoS Issues Understanding the Organization Determines backup strategy DDoS Critical products and services Defines the most current state of data upon recovery Buffer Overflow Definition Dependencies Overflow Illustration Supply chain Recovery Strategies Mail Bombing Between departments Based on the results of the BIA E-Mail Links Personnel May be different for each department Phishing Information Must be less than MTD Spear Phishing Equipment Sets the RTO Replay Attack Facilities What Items Need to Be Considered in a Recovery? Cross-Site Scripting Attack BCP Committee Facility Backups – Hot Site Timing Attacks BCP Risk Analysis Facility Backups – Warm Site More Advanced Attacks Identify Vulnerabilities and Threats Facility Backups – Cold Site Summary Categories Compatibility Issues with Offsite Facility How to Identify the Most Critical Company Functions Which Do We Use? Loss Criteria Choosing Offsite Services

Subscription Costs Recovery Strategy Incidents Choosing Site Location Now What? Incident Management Priorities Other Offsite Approaches Priorities Incident Response Capability BCP Plans Commonly and Quickly Become Out of Date Plan Objectives Incident Management Requires Defining Roles Preparing for a Crime Before It Happens The Plan Incident Response Phases Recovery Types of Law Summary Module 16 - Disaster Recovery Return to Normal Operations Foundational Concepts of Law Proper Planning Environment Common Laws – Criminal Executive Succession Planning Operational Planning Common Laws – Civil Preventing a Disaster Emergency Response Common Laws – Administrative Preventive Measures Reviewing Insurance Intellectual Property Laws Backup/Redundancy Options When Is the Danger Over? More Intellectual Property Laws Disk Shadowing Now What? Software Licensing Backing Up Over Telecommunication Serial Lines Testing and Drills Digital Millennium Copyright Act Types of Tests to Choose From Historic Examples of Computer Crimes HSM What Is Success? Who Perpetrates These Crimes? SAN Summary The Evolving Threat Co-Location Other Options Review – Results from the BIA Review – Results from Types of Motivation for Attacks Module 17 - Incident Management, Law, and Ethics Seriousness of Computer Crimes A Few Attack Types Telephone Fraud Identification Protection & Prosecution

Computer Crime and Its Barriers Companies Can Be Found Liable Perimeter Protection – Fencing Countries Working Together Sets of Ethics Perimeter Protection – Lighting Security Principles for International Use Ethics – FTS Perimeter Security – Security Guards Determine if a Crime Has Indeed Been Committed Ethics – Computer Ethics Institute Surveillance/Monitoring When Should Law Enforcement Get Involved?
Ethics – Internet Architecture Board Types of Physical IDS Citizen versus Law Enforcement Investigation GAISP – Generally Accepted Information Security Principles Electro-Mechanical Sensors Investigation of Any Crime Role of Evidence in a Trial General Rules for Evidence Volumetric Sensors Facility Attributes Module 18 - Physical Security Electrical Power Evidence Requirements Physical Security – Threats Problems with Steady Power Current Evidence Collection Topics Different Types of Threats & Planning Power Interference Chain of Custody Facility Site Selection Power Preventive Measures How Is Evidence Processed? Facility Construction Environmental Considerations Evidence Types Devices Will Fail Fire Prevention Hearsay Rule Exception Controlling Access Automatic Detector Mechanisms Privacy of Sensitive Data Possible Threats Fire Detection Privacy Issues – U.S. Laws as Examples External Boundary Protection Fire Types European Union Principles on Privacy Lock Types Suppression Methods Routing Data Through Different Countries Facility Access Fire Extinguishers Employee Privacy Issues Piggybacking Fire Suppression Computer Forensics Securing Mobile Devices Fire Extinguishers Trying to Trap the Bad Guy Entrance Protection

CPTE - DETAILED TECHNICAL PROGRAMME

COURSE DETAILS

Module 0: Course Overview
Module 1: Business and Technical Logistics of Pen Testing
Module 2: Linux Fundamentals
Module 3: Information Gathering
Module 4: Detecting Live Systems
Module 5: Enumeration
Module 6: Vulnerability Assessments
Module 7: Malware Goes Undercover
Module 8: Windows Hacking
Module 9: Hacking UNIX/Linux
Module 10: Advanced Exploitation Techniques
Module 11: Pen Testing Wireless Networks
Module 12: Networks, Sniffing and IDS
Module 13: Injecting the Database
Module 14: Attacking Web Technologies
Module 15: Project Documentation
Appendix 1: The Basics
Appendix 2: Financial Sector Regulations
Appendix 3: Access Controls
Appendix 4: Protocols
Appendix 5: Cryptography
Appendix 6: Economics and Law

DETAILED MODULE DESCRIPTION

Module 0: Course Introduction
Courseware Materials Course Overview Course Objectives CPTEngineer Exam Information Learning Aids Labs Class Prerequisites Student Facilities

Module 1: Business and Technical Logistics of Penetration Testing
Overview What is a Penetration Test? Benefits of a Penetration Test Data Breach Insurance CSI Computer Crime Survey Recent Attacks & Security Breaches What does a Hack cost you? Internet Crime Complaint Center The Evolving Threat Security Vulnerability Life Cycle Exploit Timeline Zombie Definition What is a Botnet? How is a Botnet Formed? Botnet Statistics How are Botnets Growing? Types of Penetration Testing Hacking Methodology Methodology for Penetration Testing Penetration Testing Methodologies Hacker vs. Penetration Tester Not Just Tools Website Review Tool: SecurityNOW! SX Seven Management Errors Review

Module 2: Linux Fundamentals
Overview Linux History: Linus + Minix = Linux The GNU Operating System Linux Introduction Linux GUI Desktops Linux Shell Linux Bash Shell Recommended Linux Book Password & Shadow File Formats User Account Management Instructor Demonstration Changing a user account password Configuring Network Interfaces with Linux Mounting Drives with Linux Tarballs and Zips Compiling Programs in Linux Why Use Live Linux Boot CDs Typical Linux Operating Systems Most Popular: BackTrack Review

Module 3: Information Gathering
Overview What Information is gathered by the Hacker? Organizing Collected Information Leo meta-text editor Free Mind: Mind mapping IHMC CmapTools Methods of Obtaining Information Physical Access Social Access Social Engineering Techniques Social Networks Instant Messengers and Chats Digital Access Passive vs. Active Reconnaissance Footprinting defined Maltego Maltego GUI FireCAT Footprinting tools Google Hacking Google and Query Operators SiteDigger Job Postings Blogs & Forums Google Groups / USENET Internet Archive: The WayBack Machine Domain Name Registration WHOIS WHOIS Output DNS Databases Using Nslookup Dig for Unix / Linux Traceroute Operation Traceroute (cont.) 3D Traceroute Opus online traceroute People Search Engines Intelius info and Background Check Tool EDGAR For USA Company Info Company House For British Company Info Client Email Reputation Web Server Info Tool: Netcraft Footprinting Countermeasures DOMAINSBYPROXY.COM Review

Module 4: Detecting Live Systems
Overview Introduction to Port Scanning Port Scan Tips Expected Results Popular Port Scanning Tools Stealth Online Ping NMAP: Is the Host online ICMP Disabled? NMAP TCP Connect Scan TCP Connect Port Scan Tool Practice: TCP half-open & Ping Scan Half-open Scan Firewalled Ports NMAP Service Version Detection Additional NMAP Scans Saving NMAP results NMAP UDP Scans UDP Port Scan Advanced Technique Tool: Superscan Tool: Look@LAN Tool: Hping2 Tool: Hping2 More Hping2 Tool: Auto Scan OS Fingerprinting: Xprobe2 Xprobe2 Options Xprobe2 –v –T21-500 192.168.XXX.XXX Tool: P0f Tool Practice: Amap Tool: Fragrouter: Fragmenting Probe Packets Countermeasures: Scanning Review

Module 5: Enumeration
Enumeration Overview Web Server Banners Practice: Banner Grabbing with Telnet SuperScan 4 Tool: Banner Grabbing Sc HTTPrint SMTP Server Banner DNS Enumeration Zone Transfers from Windows 2000 DNS Backtrack DNS Enumeration Countermeasure: DNS Zone Transfers SNMP Insecurity SNMP Enumeration Tools SNMP Enumeration Countermeasures Active Directory Enumeration LDAPMiner AD Enumeration countermeasures Null sessions Syntax for a Null Session Viewing Shares Tool: DumpSec Tool: Enumeration with Cain and Abel NAT Dictionary Attack Tool THC-Hydra Injecting Abel Service Null Session Countermeasures Review

Module 6: Vulnerability Assessments
Overview Vulnerabilities in Network Services Vulnerabilities in Networks Vulnerability Assessment Def Vulnerability Assessment Intro Testing Overview Staying Abreast: Security Alerts Vulnerability Research Sites Vulnerability Scanners Nessus Nessus Report SAINT – Sample Report Tool: Retina Qualys Guard http://www.qualys.com/products/overview/ Tool: LANguard Microsoft Baseline Analyzer MBSA Scan Report Dealing with Assessment Results Patch Management Other Patch Management Options

Module 7: Malware Goes Undercover
Overview Distributing Malware Malware Capabilities Countermeasure: Monitoring Autostart Methods Tool: Netcat Netcat Switches Netcat as a Listener Executable Wrappers Benign EXEs Historically Wrapped with Trojans Tool: Restorator Tool: Exe Icon The Infectious CD-Rom Technique Trojan: Backdoor.Zombam.B Trojan: JPEG GDI+ All in One Remote Exploit Advanced Trojans: Avoiding Detection BPMTK Malware Countermeasures Gargoyle Investigator Spy Sweeper Enterprise CM Tool: Port Monitoring Software CM Tools: File Protection Software CM Tool: Windows File Protection CM Tool: Windows Software Restriction Policies CM Tool: Hardware Malware Detectors Countermeasure: User Education

Module 8: Windows Hacking
Overview Password Guessing Password Cracking LM/NTLM Hashes LM Hash Encryption NT Hash Generation Syskey Encryption Cracking Techniques Precomputation Detail Creating Rainbow Tables Free Rainbow Tables NTPASSWD: Hash Insertion Attack Password Sniffing Windows Authentication Protocols Hacking Tool: Kerbsniff & KerbCrack Countermeasure: Monitoring Logs Hard Disk Security Breaking HD Encryption Tokens & Smart Cards USB Tokens Covering Tracks Overview Disabling Auditing Clearing an Event Log Hiding Files with NTFS Alternate Data Stream NTFS Streams countermeasures What is Steganography? Steganography Tools Shedding Files Left Behind Leaving No Local Trace Tor: Anonymous Internet Access How Tor Works TOR + OpenVPN = Janus VM Encrypted Tunnel Notes: Hacking Tool: RootKit Windows RootKit Countermeasures

Module 9: Hacking UNIX/Linux
Overview Introduction File System Structure Kernel Processes Starting and Stopping Processes Interacting with Processes Command Assistance Interacting with Processes Accounts and Groups Password & Shadow File Formats Accounts and Groups Linux and UNIX Permissions Set UID Programs Trust Relationships Logs and Auditing Common Network Services Remote Access Attacks Brute-Force Attacks Brute-Force Countermeasures X Window System X Insecurities Countermeasures Network File System (NFS) NFS Countermeasures Passwords and Encryption Password Cracking Tools Salting Symbolic Link Symlink Countermeasure Core File Manipulation Shared Libraries Kernel Flaws File and Directory Permissions SUID Files Countermeasure File and Directory Permissions World-Writable Files Countermeasure Clearing the Log Files Rootkits Rootkit Countermeasures Review

Module 10: Advanced Exploitation Techniques
Overview How Do Exploits Work? Format String Race Conditions Memory Organization Buffer Overflows Buffer Overflow Definition Overflow Illustration How Buffers and Stacks Are Supposed to Work Stack Function How a Buffer Overflow Works Buffer Overflows Heap Overflows Heap Spraying Prevention Security Code Reviews Stages of Exploit Development Shellcode Development The Metasploit Project The Metasploit Framework Meterpreter Fuzzers SaintExploit at a Glance SaintExploit Interface Core Impact Overview Review

Module 11: Pen Testing Wireless Networks
Overview Standards Comparison SSID (Service Set Identity) MAC Filtering Wired Equivalent Privacy Weak IV Packets WEP Weaknesses XOR – Encryption Basics How WPA improves on WEP TKIP The WPA MIC Vulnerability 802.11i – WPA2 WPA and WPA2 Mode Types WPA-PSK Encryption LEAP LEAP Weaknesses NetStumbler Tool: Kismet Tool: Aircrack-ng Suite Tool: Airodump-ng Tool: Aireplay DOS: Deauth/disassociate attack Tool: Aircrack-ng Attacking WEP Attacking WPA coWPAtty Exploiting Cisco LEAP asleap WiFiZoo Wesside-ng Typical Wired/Wireless Network 802.1X: EAP Types EAP Advantages/Disadvantages EAP/TLS Deployment New Age Protection Aruba – Wireless Intrusion Detection and Prevention RAPIDS Rogue AP Detection Module Review

Module 12: Networks, Sniffing, IDS
Overview Example Packet Sniffers Tool: Pcap & WinPcap Tool: Wireshark TCP Stream Re-assembling Tool: Packetyzer tcpdump & windump Tool: OmniPeek Sniffer Detection Using Cain & Abel Active Sniffing Methods Switch Table Flooding ARP Cache Poisoning ARP Normal Operation ARP Cache Poisoning Tool Countermeasures Tool: Cain and Abel Ettercap Linux Tool Set: Dsniff Suite Dsniff Operation MailSnarf, MsgSnarf, FileSnarf What is DNS spoofing? Tools: DNS Spoofing Session Hijacking Breaking SSL Traffic Tool: Breaking SSL Traffic Tool: Cain and Abel Voice over IP (VoIP) Intercepting VoIP Intercepting RDP Cracking RDP Encryption Routing Protocols Analysis Countermeasures for Sniffing Countermeasures for Sniffing Evading The Firewall and IDS Evasive Techniques Firewall – Normal Operation Evasive Technique – Example Evading With Encrypted Tunnels Newer Firewall Capabilities ‘New Age’ Protection Networking Device – Bastion Host Spyware Prevention System (SPS) Intrusion ‘SecureHost’ Overview Intrusion Prevention Overview Review

Module 13: Injecting the Database
Overview Vulnerabilities & Common Attacks SQL Injection Impacts of SQL Injection Why SQL “Injection”? SQL Injection: Enumeration SQL Extended Stored Procedures Direct Attacks SQL Connection Properties Attacking Database Servers Obtaining Sensitive Information Hacking Tool: SQLScan Hacking Tool: osql.exe Hacking Tool: Query Analyzers Hacking Tool: SQLExec www.petefinnegan.com Hacking Tool: Metasploit Finding & Fixing SQL Injection Hardening Databases Review

Module 14: Attacking Web Technologies
Overview Web Server Market Share Common Web Application Threats Progression of a Professional Hacker Anatomy of a Web Application Attack Web Applications Components Web Application Penetration Methodologies URL Mappings to Web Applications Query String Changing URL Login Parameters Cross-Site Scripting (XSS) Injection Flaws Unvalidated Input Unvalidated Input Illustrated Impacts of Unvalidated Input Finding & Fixing Unvalidated Input Attacks Against IIS Unicode IIS Directory Traversal IIS Logs Other Unicode Exploitations N-Stalker Scanner 2009 NTOSpider HTTrack Website Copier Wikto Web Assessment Tool SiteDigger v3.0 Paros Proxy Burp Proxy Brutus Dictionary Maker Cookies Acunetix Web Scanner Samurai Web Testing Framework

Module 15: Project Documentation
Overview Additional Items The Report Report Criteria: Supporting Documentation Analyzing Risk Report Results
Matrix Findings Matrix Delivering the Report Stating Fact 24 Recommendations Executive Summary Technical Report Report Table Of Contents Summary Of Security Weaknesses Identified Scope of Testing Summary Recommendations Summary Observations Detailed Findings Strategic and Tactical Directives Statement of Responsibility / Appendices Review Appendix Appendix 1: The Basics Overview The Growth of Environments and Security Our motivation… The Goal: Protecting Information! CIA Triad in Detail Approach Security Holistically Security Definitions Definitions Relationships Method: Ping The TCP/IP stack Recommended Video: It’s Showtime Which services use which ports? TCP 3-Way Handshake TCP Flags Malware Types of Malware Types of Malware Cont... Types of Viruses More Malware: Spyware Trojan Horses Back Doors DDoS Issues DDoS Packet Sniffers Passive Sniffing Active Sniffing Firewalls, IDS and IPS Firewall – First line of defense IDS – Second line of defense IPS – Last line of defense? Firewalls Firewall Types: (1) Packet Filtering Firewall Types: (2) Proxy Firewalls Firewall Types – Circuit-Level Proxy Firewall Type of Circuit-Level Proxy – SOCKS Firewall Types – Application-Layer Proxy Firewall Types: (3) Stateful Firewall Types: (4) Dynamic Packet-Filtering Firewall Types: (5) Kernel Proxies Firewall Placement Firewall Architecture Types – Screened Host Multi- or Dual-Homed Screened Subnet Wi-Fi Network Types Widely Deployed Standards Standards Comparison 802.11n - MIMO Overview of Database Server Types of databases Overview of Database Server Review Appendix 2: Financial Sector Regulations Pertaining to Pen Testing Overview IT Governance Best Practice IT Risk Management Types of Risks Information Security Risk Evaluation Improving Security Posture Risk Evaluation Activities Risk Assessment Information Gathering Data Classification Threats and Vulnerabilities 25 Analytical Methods Evaluate Controls Evaluate Controls Risk Ratings Important Risk Assessment Practices Compliance 
Many Regulations Basel II Gramm-Leach-Bliley-Act 1999 Title V Federal Financial Examination Institution Council FFIEC Sarbanes-Oxley Act (SOX 404) 2002 IT Applications and Security Internal Control: SOX SOX: Business or IT Issue? IT Issue for SOX ISO 27002 ISO 27002: Control Components Background on PCI Dirty Dozen Change Control and Auditing Total Cost of Compliance What does this mean to the tech? Review Appendix 3: Access Controls Overview Role of Access Control Definitions Categories of Access Controls Physical Controls Logical Controls “Soft” Controls Security Roles Steps to Granting Access Access Criteria Physical Access Control Mechanisms Biometric System Types Synchronous Token Asynchronous Token Device Memory Cards Smart Card Cryptographic Keys Logical Access Controls OS Access Controls Review Appendix 4: Protocols Protocols Overview OSI – Application Layer OSI – Presentation Layer OSI – Session Layer Transport Layer OSI – Network Layer OSI – Data Link OSI – Physical Layer Protocols at Each OSI Model Layer TCP/IP Suite Port and Protocol Relationship Conceptual Use of Ports UDP versus TCP Protocols – ARP Protocols – ICMP Network Service – DNS SSH Security Protocol SSH Protocols – SNMP Protocols – SMTP Review Appendix 5: Cryptography Overview Introduction Encryption Cryptographic Definitions Encryption Algorithm Implementation Symmetric Encryption 26 Symmetric Downfalls Symmetric Algorithms Crack Times Asymmetric Encryption Public Key Cryptography Advantages Asymmetric Algorithm Disadvantages Asymmetric Algorithm Examples Key Exchange Symmetric versus Asymmetric Using the Algorithm Types Together Instructor Demonstration Hashing Common Hash Algorithms Birthday Attack Example of a Birthday Attack Generic Hash Demo Instructor Demonstration Security Issues in Hashing Hash Collisions MD5 Collision Creates Rogue Certificate Authority Hybrid Encryption Digital Signatures SSL/TLS SSL Connection Setup SSL Hybrid Encryption SSH IPSec - Network Layer Protection Public 
Key Infrastructure Quantum Cryptography Attack Vectors Network Attacks More Attacks (Cryptanalysis) Appendix 6: Economics and Law Security Incentives & Motivations What motivates us to promote security? Security Incentives & Motivations What motivates others to attack security? What is Your Weakest Link? What Is the Value of an Asset? Examples of Some Vulnerabilities that Are Not Always Obvious Categorizing Risks Some Examples of Types of Losses Different Approaches to Analyzing Risks Who Uses What Analysis Type? Qualitative Analysis Steps Quantitative Analysis Can a Purely Quantitative Analysis Be Accomplished? Comparing Cost and Benefit Cost of a Countermeasure Cyber Crime! Not Just Fun and Games Examples of Computer Crimes Who Perpetrates These Crimes? A Few Attack Types Telephone Fraud Identification Protection & Prosecution Privacy of Sensitive Data Privacy Issues – U.S. Laws as Examples European Union Principles on Privacy Routing Data Through Different Countries Employee Privacy Issues U.S. LAW Common Laws – Civil Common Laws – Criminal Common Laws – Administrative U.S. Federal Laws Intellectual Property Laws More Intellectual Property Laws Software Licensing Digital Millennium Copyright Act Investigating Computer Crime and Its Barriers Countries Working Together Security Principles for International Use Bringing in Law Enforcement Investigation of Any Crime Role of Evidence in a Trial Evidence Requirements Chain of Custody How Is Evidence Processed? 
27 Evidence Types Hearsay Rule Exception Responding to an Incident Preparing for a Crime Before It Happens Incident Handling Evidence Collection Topics Computer Forensics Trying to Trap the Bad Guys Module 2 Lab – Linux Fundamentals Exercise 1 – ifconfig Exercise 2 – Mounting a USB Thumb Drive Exercise 3 – Mount a Windows partition Exercise 4 – VNC Server Exercise 5 – Preinstalled tools in BackTrack 5 Module 3 Lab – Information Gathering DETAILED HANDS-ON LABORATORY OUTLINE Module 0 Lab Documentation for CPTC Final Report Exercise 1 – Documentation of the assigned tasks Module 1 Lab – Getting Set Up Exercise 1 – Naming and subnet assignments Exercise 2 – Discovering your class share Exercise 3 – VM Image Preparation Exercise 4 – Discovering the Student Materials Exercise 5 – PDF Penetration Testing Methodology’s review Exercise 1 – Google Queries Exercise 2 – Footprinting Tools Exercise 3 – Getting everything you need with Maltego Exercise 4 – Using Firefox for Pen Testing Exercise 5 – Documentation of the assigned tasks Module 5 Lab – Reconnaisance Exercise 1 – Banner Grabbing Exercise 2 – Zone Transfers Exercise 3 – SNMP Enumeration Exercise 4 – LDAP Enumeration Exercise 5 – Null Sessions Exercise 6 – SMB Enumeration Exercise 7 – SMTP Enumeration Exercise 8 – Documentation of the assigned tasks Module 6 Lab – Vulnerability Assessment Exercise 1 – Run Nessus for Windows Exercise 2 –Run Saint Exercise 3 – Documentation of the assigned tasks Module 4 Lab – Detecting Live Systems Exercise 1 – Look@LAN Exercise 2 – Zenmap Exercise 3 – Zenmap in BackTrack 5 Exercise 4 – NMAP Command Line Exercise 5 – Hping2 Exercise 6 – Unicornscan Exercise 7 – Documentation of the assigned tasks Module 7 Lab – Malware Exercise 1 – Netcat (Basics of Backdoor Tools) Exercise 2 – Exploiting and Pivoting our Attack Exercise 3 – Creating a Trojan Exercise 4 – Documentation of the assigned tasks 28 Module 8 Lab – Windows Hacking Exercise 1 – Cracking a Windows Password with Linux Exercise 2 
– Cracking a Windows Password with Cain Exercise 3 – Covering your tracks via Audit Logs Exercise 4 – Alternate Data Streams Exercise 5 – Stegonagraphy Exercise 6 – Understanding Rootkits Exercise 7- Windows 7 Client Side Exploit (Browser) Exercise 8- Windows 2008 SMBv2 Exploit Exercise 9 – Documentation of the assigned tasks Module 9 Lab – Hacking UNIX/Linux Exercise 1 – Setup and Recon – Do you remember how? Exercise 2 – Making use of a poorly configured service Exercise 3 – Cracking a Linux password Exercise 4 – Creating a backdoor and covering our tracks Exercise 5 – Documentation of the assigned tasks Module 10 Lab – Advanced Vulnerability and Exploitation Techniques Exercise 1 – Metasploit Command Line Exercise 2 – Metasploit Web Interface Exercise 3 – Exploit-DB.com Exercise 4 – Saint Exercise 5 – Documentation Module 11 Lab – Attacking Wireless Networks Exercise 1 – War Driving Lab Exercise 2 – WEP Cracking Lab (classroom only) Exercise 3 – Documentation Module 12 Lab – Networks, Sniffing and IDS Exercise 1 – Capture FTP Traffic Exercise 2 – ARP Cache Poisoning Basics Exercise 3 – ARP Cache Poisoning - RDP Exercise 4 – Documentation Module 13 Lab – Database Hacking Exercise 1 – Hacme Bank – Login Bypass Exercise 2 – Hacme Bank – Verbose Table Modification Exercise 3 – Hacme Books – Denial of Service Exercise 4 – Hacme Books – Data Tampering Exercise 5 – Documentation of the assigned tasks Module 14 Lab – Hacking Web Applications Exercise 1 – Input Manipulation Exercise 2 – Shoveling a Shell Exercise 3 – Hacme Bank – Horizontal Privilege Escalation Exercise 4 – Hacme Bank – Vertical Privilege Escalation Exercise 5 – Hacme Bank – Cross Site Scripting Exercise 6 – Documentation of the assigned tasks A5 Lab – Cryptography Exercise 1 – Caesar Encryption Exercise 2 – RC4 Encryption Exercise 3 – IPSec Deployment Post-Class Lab – CORE IMPACT Exercise 1 – CORE IMPACT 29 Contatti Milano, via Assietta 19 (presso Quanta Village - Sport & Lavoro) T. 
02 540654 54 - 02 540654 38 [email protected] quantaformazione.com 30